Hong Kong was at the forefront of modern legislation when it passed its data privacy law in 1995, setting out strict requirements regarding cross-border data transfers. Section 33 of its Personal Data Protection Ordinance contains a statutory prohibition against any such transfer out of Hong Kong or between jurisdictions unless certain conditions are fulfilled.
At issue here is the definition of “data user”. A data user is defined as any individual who controls the collection, storage, processing or use of personal data – this includes both themselves as well as subcontractors and agents working under them. Hong Kong stands out among data privacy laws by not including extraterritorial application provisions in their definition of data user, instead defining one as anyone whose operations control collection, holding, processing or use of data in or from Hong Kong. This is key, given that the PDPO places various obligations on data users, including meeting its six DPPs and meeting its statutory requirement of explicitly informing data subjects about why their personal data will be collected or transferred abroad – even though their original purpose for collection may have remained the same. As clarified by PCPD rulings, such obligations arise when personal data are transferred overseas for processing even though its purpose for collection may have remained the same.
Data users must not only comply with their legal obligations under DPPs, but must also ensure their overseas data processors abide by them via PCPD’s model contractual clauses; this process should be much simpler compared with fulfilling data transfer obligations under GDPR.
As well as adhering to the mandatory data protection provisions of model clauses, data exporters may consider taking additional measures to meet the standards set forth by PDPO in foreign jurisdictions. This might involve technical or procedural steps such as encryption, anonymisation or pseudonymisation as well as split or multi-party processing.
Although there has been some anxiety regarding the impact and difficulties involved in complying with statutory restrictions on the transfer of personal data to jurisdictions where model clauses were written, business views generally seem to have moved away from strict application of this requirement. Instead, this requirement has come to be seen as an essential safeguard against potential threats to personal privacy.
